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Abstract 

Suppose Alice and Bob receive strings X = (Xi, . . . , X n ) and Y = 
(Yi , . . . , Y n ) each uniformly random in [s] n but so that X and Y are 
correlated . For each symbol i, we have that Yi = Xi with probability 
1 - e and otherwise Yj is chosen independently and uniformly from [s]. 

Alice and Bob wish to use their respective strings to extract a uni- 
formly chosen common sequence from [s] k but without communicat- 
ing. How well can they do? The trivial strategy of outputting the first 
k symbols yields an agreement probability of (1 - e + e/s) . In a recent 
work by Bogdanov and Mossel it was shown that in the binary case 
where s = 2 and k = k(e) is large enough then it is possible to extract 
k bits with a better agreement probability rate. In particular, it is 
possible to achieve agreement probability {key 1 ! 2 . 2~' ce /( 2 ( 1 - e / 2 )) using 
a random construction based on Hamming balls, and this is optimal 
up to lower order terms. 

In the current paper we consider the same problem over larger al- 
phabet sizes s and we show that the agreement probability rate changes 
dramatically as the alphabet grows. In particular wc show no strat- 
egy can achieve agreement probability better than (1 - e) fc (l + S(s)) k 
where S(s) -^Oass^oo. We also show that Hamming ball based con- 
structions have much lower agreement probability rate than the trivial 
algorithm as s -»■ oo. Our proofs and results are intimately related to 
subtle properties of hypercontractive inequalities. 
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1 Introduction 



For an integer s > 2, consider two [s] n -valued random variables X, Y (where 
[s] = {0, 1, . . . , s - 1}) which are sampled by first choosing X uniformly and 
then, independently for every coordinate i, taking Yi to be a copy of Xj 
with probability 1 - e and an independent sample from [s] otherwise. We 
will write ¥ e for this joint distribution on X and Y. Note that X and Y are 
both uniformly distributed in [s] n . 

The non- interactive correlation distillation (NICD) is defined as follows: 
suppose that one party (Alice) receives X and another (Bob) receives Y. 
Without any communication, each party chooses a string that is uniformly 
distributed in [s] k with the goal of maximizing the probability that the two 
strings chosen by Alice and Bob are identical. 



1.1 Motivation and Related Work 

This problem was studied in [l] in the case s = 2, with motivation from 
various areas. One major motivation comes from the goal of extracting a 
unique identification string from process variations [3 12, particularly in a 
noisy setup [9]. 

The case where the goal of the two parties is to extract a single bit was 
studied independently a number of times; in this case the optimal protocol 
is for the two parties to use the first bit. See [Tl] for references and for 
studying the problem of extracting one bit from two correlated sequences 
with different correlation structures. 

In |4,5| a related question is studied: if m parties receive noisy versions 
of a common random string, where the noise of each party is independent, 
what is the strategy for the m parties that maximizes the probability that the 
parties agree on a single random bit of output without communicating? [I] 
shows that for large m using the majority functions on all bits is superior 
to using a single bit and |5j uses hypercontractive inequalities to show that 
for large m, majority is close to being optimal. Both results were recently 
extended to general string spaces in J6]. 

For any fceN, one protocol - which we will call the "trivial protocol" - 
is for both parties to take the first k symbols of their strings. The success 
probability of this protocol is (1 - (1 - ^)e) fc ~ exp(-fce(l - -)). When s = 2 
and the protocol outputs a single bit (ie. k = 1), it is known (see e.g. (3) that 
the optimal protocol is for both parties to choose the first bit. For larger k, 
this is no longer true. Bogdanov and Mossel [l] studied the case s = 2, and 
showed that any protocol which outputs a uniformly random length-A; string 
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has a success probability of at most exp(-/ce(ln2)/2). In other words, if p 
is the success probability of the trivial algorithm for choosing a fc-bit string, 
then every protocol with success probability at least p emits at most /c/ln2 
bits. 

Bogdanov and Mossel showed that their bound was sharp by providing 
an example (for a restricted range of e and k) with success probability which, 
for any 5 > 0, is at least exp(-A:e(l + 5)/2) for small e and large k. In other 
words, if p is the success probability of the trivial algorithm for choosing a 
k-bit string, then they gave a protocol that succeeds with probability p and 
produces a string of length k/((l + 5) ln2). Their construction was built by 
taking random translations of Hamming balls; we will return to it in more 
detail later. 

1.2 Our results 

We study an extension of the upper bound of [I] to a larger alphabet. In our 
main result we show that in the case of large alphabets, the constant-factor 
gap between the upper bound and the performance of the trivial algorithm 
vanishes; hence, the trivial algorithm is almost optimal for large alphabets. 
In particular we show no strategy can achieve agreement probability better 
than (1 - e) fc (l + 5(s)) k where 5(s) -» as s -> oo. 

We then turn to analyze generalizations of the Hamming ball based con- 
struction of [I] . Interestingly we show that these have much lower agreement 
probability rate than the trivial algorithm as s oo. 

In this respect it is interesting to compare the case of a large number of 
parties that extract a single symbol to the case of two parties who extract a 
longer string. In the first case, the results of [6] generalize those of [1J[5] to 
show that Hamming ball based protocols are almost optimal for all values 
of s when the number of parties m is large. In the case presented here, 
Hamming ball type constructions quickly deteriorate as s increases and the 
trivial protocol becomes almost optimal. 

The difference between the two phenomena may be explained by the fact 
that the problem studied in |4|5] is closely related to reverse- hypercontractive 
inequalities which hold uniformly in s [6], while the problem studied here 
is closely related to hypercontractive inequalities which deteriorate as s in- 
creases. 

Our results show that the trivial algorithm is optimal up to a factor of 
(l + 5(s)) k where <5(s)-*0ass->-oo. An interesting open problem is to find 
an almost optimal algorithm for large s, i.e., an algorithm whose agreement 
probability is provably optimal up to a factor of 2~°( k ^ . It is quite possible 
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that the trivial protocol is optimal for some large fixed values of s and all 
large enough k. 

2 Definitions and results 

A protocol for NICD is defined by two functions /, g : [s] n -> [s]* . Upon 
receiving their strings X, Y e [s] n , the two parties compute f{X) and g(Y) 
respectively. The protocol is successful if both parties agree on the same 
output; that is, if f(X) = g(Y). Therefore, finding an optimal NICD algo- 
rithm is equivalent to finding functions f,g : [s] n -> [s]* which maximize 
F e (f(X) = g(Y)). 

In the introduction, we mentioned the requirement that / and g are 
uniformly distributed on [s] k . In fact, we will require less for our negative 
results and guarantee more in our positive results. In particular, for our 
negative results, we will only assume that / and g have min-entropy at most 
k, meaning that F(f(X) - z) < s~ k for all z € [s]* and similarly for g. Of 
course, if / : [s] n -» [s] k is uniformly distributed then it has min-entropy k. 

2.1 Reduction to a question about sets 

Using an observation of [I] , we can reduce the NICD problem to the problem 
of finding a sets A c [s] n which maximize F e (Y e A\X e A). On the one 
hand, if we are given good functions / and g then we can find a set A such 
that F(Y g A\X e A) is large: 

Theorem 2.1. For any functions f,g ■ [s] n -> [s]* having min-entropy k 
there is a set A c [s] n with \A\ < s n ~ k such that for every < e < 1, 

F e (YeA\XeA)>F e (f(X) = g(Y)). 

On the other hand, if we have a good set A then we can construct a 
function / by taking certain translates of A. 

Theorem 2.2. If Ac [s] n with < \A\ < ^s n ~ k then there is a function 

f : [s] n -»■ [s] k such that 

1. f(X) is uniformly distributed on [s] k 

2. f(X) is uniformly distributed on [s] k conditioned on f(X) = f(Y) 

3. for every < e < 1, 

F e (f(X) = /(F)) > ^-F t (Y g ,4|X g A). 
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Note that the / that we produce in Theorem 2.2 satisfies stronger re 



quirement than the one that we require in Theorem 2.1 Indeed, the / from 



Theorem 2.2 is uniformly distributed instead of only having a small mini- 
mum entropy. Moreover, f{X) is uniformly distributed given f(X) = f(Y), 
which means that a successful execution of the protocol will result in the 
two parties having uniformly random strings. 

2.2 Negative results on the performance of NICD 



In view of Theorems |2.1| and |2.2[ the NICD problem reduces to the study 
of P t (Y 6 A\X e ^4) over sets A c [s] n with a given cardinality. Actually, 
it turns out to be more convenient to normalize the cardinality instead of 
restricting it: 

Definition 2.3. For A c [s] n , define 

lnP e (y e A\X 6 A) 



M e (A) = 



hiF(A) 



To illustrate the definition, consider the set A = {x ■ x\ = ■ ■ ■ = x^ = 0}, 
which corresponds to the trivial algorithm that selects the first k symbols. 
In this case, F e (Y e A\X 6 A) = (1 - (1 - s- 1 )e)) k . Since F(A) = s~ k , it 
follows that 



Our main result is that the above example is optimal as s -> oo. 

Theorem 2.4. For every 5, e > there exists S < oo such that for all n e N 
and all s > S, any set A c [s] n satisfies 



Ins* 1 - e ' 



Note that since lnP(yl) is negative, Theorem |2.4| provides an upper 
bound on P e (7 e A \ X e A) for all sets A of a fixed probability, and 
therefore an upper bound on the agreement probability of any NICD proto- 
col. We remark that our proof extends to the case where the Xj are chosen 
independently from some distributions whose smallest atoms are at most a. 
In this case, the theorem holds with s replaced by 1/a. 

As a corollary of Theorems |2.1| and |2.4[ we obtain a bound on the per- 
formance of any NICD protocol. 
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Corollary 2.5. For any 5, e > 0, there exists S < oo such that for all n,k eN, 
/or any s > S, and for any NICD protocol f, g on [s] with min entropy at 
most k, the probability that the protocol succeeds with noise e is at most 
(l-e) k e 5k . 

Since the success rate of the trivial protocol with min-entropy k is bigger 
than (1 - e) k , this shows that for large s, no protocol can be succeed with 
much higher probability than the trivial protocol. 

Proof. Fix a protocol f,g and let A be a set such that \A\ < s n ~ k and ¥ e (Y e 



A\X e A) > P e (/(X) = g(Y)) (such an A exists by Theorem [2JJ. Then 
Theorem |2,4| implies (recalling that lnP(A) is negative) 



lnP e (y e A\X e A) < lnP (^) [ log JL _ A < _jJ log _JL _ 5 \ 

In s ^ 1 - e ' V 1 - e ' 

Taking the exponential of both sides yields the corollary. □ 



Of course, we can also restate Corollary 2.5 for a fixed probability of 
success and a varying k: 

Corollary 2.6. For any 5, e > 0, there exists S < oo suc/i £/ta£ for all n e N, 
/or all < p < 1, for any s > S, and for any NICD protocol /, g i/iat succeeds 
with probability at least p, if k is the min-entropy of the protocol then the 
trivial protocol on L^l^jr~^+<5 -I symbols also succeeds with probability at least 
p. 

In other words, for a fixed probability of failure, a trivial protocol can 
recover almost as many symbols as any other protocol (when s is large). 

The dependence of S on 5 and e is not made explicit in our proof. How- 
ever, our proof does provide a way to approximate S(5, e) on a computer; 
therefore, we produced a plot (Figure [l]) showing the approximate value of 
S for various values of 5 and e. 



2.3 An example: the Hamming ball 

As we have already mentioned, |1| showed that when s = 2, the trivial 
algorithm is optimal up to a constant factor; As we have just seen, this 
constant factor converges to 1 as s -*■ oo. However, [l] also gave a positive 
result: they gave an example that achieves optimal performance (at least, 
up to lower order terms and for a particular range of k and e). Since their 
example can be generalized to s > 2, we can examine its performance as 
s -> oo, and compare it to the trivial algorithm. 
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Figure 1: The relationship, in log-log scale, between S and 8 in Theorem 2.4 
for various values of e: 0.5 (solid), 0.1 (dashed), and 10~ 3 (dotted). For each 
of these values of e, every point (s,5) that is above the corresponding line, 
and every n e N, all sets A c [s] n satisfy M e (A) > j^-(ln ^ - 5). 



Define the set 

A St a, n = [s] n ■ #{i -Xi^O} < n —j- - aVn\. 

In other words, A SiCc ^ n is a Hamming ball around zero of radius re^- -ccy/n. 
When s = 2, [j] showed that M e (A 2>a , n ) w e/2 as n,t -> oo and e -> (note 
that this does not contradict Theorem |2.4[ which only holds for sufficiently 
large s). Since the trivial algorithm has M e (A) w e/(21n2) for small e, this 
shows that the Hamming ball NICD protocol is better than the trivial one 
for s = 2. The situation reverses, however, as s grows: 

Proposition 2.7. There exists a constant c such that for any s,a and e, 

lim M e (A sa , n ) ^ ce. 

Since the trivial algorithm has M e (A) ~ e/lns, it is better than the 
Hamming ball protocol when s is large. In terms of the agreement proba- 
bility, an argument like the proof of Corollary |2.5| shows that the agreement 
probability of the Hamming ball protocol is at most (1 - e) cfclns . In terms 
of the number of recovered symbols, the Hamming ball protocol with the 
same agreement probability as the fc-symbol trivial protocol can only recover 
ck/\ns symbols. 
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3 Reduction to a single set 



In this section, we will prove Theorems 2.1 and |2.2[ which reduce the NICD 
problem to a question about optimal subsets of [s] n . The proof of Theo- 
rem 2.1 is straightforward, and essentially follows directly from the Cauchy- 



Schwarz inequality. 

Proof of Theorem 2.1. Suppose that f,g : [s] n -> [s] k have min-entropy k. 
For z e [s] k , let f z : [s] n -> {0, 1} be the function 



fz(x) = 



Define g z {x) similarly. Then 



[1, if /(*) = *, 
i 0, otherwise. 



,(f(X) = 9 (Y))= Y, K(f(X) = g(Y) = z) 

ze[s] k 

= Y, ®fz(X)g z (Y) 

ze[s] k 

< Y V^fz(X)f z (YWEg z (X)g z (Y) 

ze[s] k 



< Y ®fz(X)fz(Y) Y ^9z(X)g z (Y), 

where both inequalities are Cauchy-Schwarz. 

For each z e [s] k , let A z be the set f~ 1 (z). Since / has min-entropy k, 
\A Z \< s n ~ k for all z. Let A be the A z which maximizes F € [Y e A z \ X e A z ]. 
Then 

£ Ef z (X)f z (Y) = Y Ve(f(X) = f(Y) = z) 

ze[s] k zz[s] k 

= Y Pe(f(X)=z)F e (Y€A z \X£A z ) 
ze[s] k 

< F e (Y e A \ X e A). □ 



The idea behind Theorem 2.2 is, given a set A c [s] n with |s n < |A| < 
\s n ~ k , to construct a partition of [s] n out of randomly translated copies 
of A. Let C c [s] n , |C| = s k be the set of "centers." We will choose C 
randomly; we will say how to choose it later. Let fc '■ [s] n -* C to be some 



S 



function with the property that if x e A + c for a unique ceC then fc(x) = c. 
Clearly, then, 

F e (f c (X) = f c (Y)) > P e (3!c e C such that I,7ei + c). (2) 
The goal is to find a C which makes the right-hand side large; this will allow 



us to prove property 3 in the second part of Theorem 2.1 



Note, by the way, that it is sufficient to prove Theorem 2.2 with [s] k 
replaced by an arbitrary set C satisfying |C| = s k . Since such a C is in 
bijection with [s] k , the theorem as stated will follow. 

Lemma 3.1. Suppose that C is chosen (randomly) such that for any a,bz 
[s] n , P(a,6e C) = s 2 ^. Then 

E c F € (f c (X) = f c (Y)) > -^P(e(Y e A | X 6 A). 

lb 

In particular, there exists a fixed C such that fc satisfies property 3 of 
Theorem IK 



Proof. We begin from the right-hand side of ([2]): 

P £ (]!ceC such that I,7ei + c) (3) 

> E c E K(X,Y€ A c ) (l-Y, We(X or Y e A d \ X,Y e A c ) ) 

- s fc E c P e (X, y 6 Ac) (l - (s fe - l)M & ¥ e (X or Y £A C ,\X,Y t A c )) . (4) 

By our assumption on the distribution of C, c' + c is uniformly random given 
c. Thus 

E c ,P e (X orFe^lI.Ye A c ) < 2E c /P e (X e | X, Y e A c ) 

< 2P e (X e A) < s _fc /2, 

where the last line follows because \A\ < s n ~ k /4. 
Plugging this into Q , 

E C P £ (/(X) = f{Y)) > yP e (X,y e A) = Pi(7E ^ £i) . □ 

To check properties 2 and 3, we need to be a little more specific about 
our choice of fc- So far, we have only assumed that fc(x) = c if c is the 
only member of C with x e A + c. Now, take < to be some total order 
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on [s] n with the property that x < y whenever x e A,y £ A. Then define 
fc( x ) = ar g m i n cec( x _ c ) (where the arg min is taken with respect to the 
ordering <). This defines fc on all of [s] n , and it has the property that 
we required before: if /c(x) e A + c for a unique c, then fc(x) - c € A and 
fc{x)-c' ^ A for every c' # c. By our requirement on <, fc(x)-c < fc( x )-c' 
for every c' ± c and so fc(x) = c. 

Lemma 3.2. // there is a subgroup G c ([s]™,+) and some a € [s] n such 
that C = G + a, then fc satisfies properties 1 and 2 of Theorem\2.2\ 



Proof. For any g e G, 

fc(x + g) = arg min ceC (x ~(c-g))=g + arg min ceC _ g (x - c) = f c (x) + g, 

since C - g - C. Moreover, note that the distribution of (X, Y) is invariant 
under translation, in the sense that for any fixed g e [s] n , (X, Y)+g = (X, Y). 
Hence, 

F(f(X) = c) = P(/(X + g) = c) = P(/(X) = c + 5 ) 

for any c € C,g € G. Since G acts transitively on C, this implies that 
¥(f(X) = c) = 1/|C| = in other words, f(X) is distributed uniformly on 
C. 

Similarly, 

P(/PQ = f(Y) = c) = P(/(X) = f(Y) = c + g) 

for any c e C,g e G and so P(/(X) = /(F) = c) = s^P^X) = /(F)); in 
other words, /(X) is uniformly distributed on C conditioned on f(X) = 
f(X). □ 



Proof of Theorem 2.2. To prove Theorem 2.2 we need to find a set C which 



satisfies the hypotheses of Lemmas 3.1 and 3.2 In fi], they chose C to be a 



uniformly random /c-dimensional affine subspace of [2] n , but since [s] n is not 
a vector space for every s, we will need something slightly more complicated. 

Let s = n™i pf be the prime factorization of s. By the Chinese remain- 
der theorem, the group ([s]",+) is isomorphic to 0£ti([Pi] n3i ) +); let <p ■ 
®i([Pi] n:>i 7 + ) [ s ] n be an isomorphism. Independently for each i = 1, . . . , m 
and j = 1, . . . , ki, let Gjj be a uniformly random /c-dimensional subspace of 
[Pi] n (which is a vector space), and let ai be a uniformly random element 
of [pi] n . Finally, define 

C = </>( ©(oij + G M )) = 0( a,,,) + 0( G 4J ). 

«J i,3 ' i,3 
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Since </>(0jj G^j) is a subgroup of [s] n , the condition of Lemma 3.2 is sat- 
isfied with probability 1. 

To check the condition of Lemma 3.1 note that for any b = 0jj by and 
c = 0ij Cjj in 0™i[p«] n ! , 

P(6jj, cy e aij + Gij) = ^ 2(n ~ fc) 

because Ciy is a uniformly random /c-dimensional subspace of [pi] n - Since 
the ay and Gij are independent, it follows that 



P(0(6),0(c) e C) = n p K;Ai e Cm) = s 



2(n-k) 



That is, the distribution of C satisfies the condition of Lemma 3.1 In 
particular, there exists a non-random C that belongs to the support of 
C, and which also satisfies condition 3 of Theorem 2.2 By the previous 
paragraph, the fact that it belongs to the support of C implies that it also 
satisfies conditions 1 and 2. □ 



4 An upper bound on agreement 



The proof of Theorem 2.4 uses a hypercontractive inequality in much the 
same way as it was used in |l|. The difference here is that [I] used only 
the hypercontractive inequality over the two-point space with the uniform 
measure, while we need one that applies to spaces with more than two 
points. Before stating this hypercontractive inequality, we need to define 
the appropriate Bonami-Beckner-type operator: for a function g : [s] K, 
and some < r < 1, define S T g = rg + (1 - r)Mg. Thus, for any < r < 1, 
and any 1 < p, q < oo, S is an operator L p ([s]) -> L q ([sJ). We define 
T T : L p ([s] n ) L q ([s]) n by T T = Sf n . The operator T T can also be written 
in terms of the Fourier expansion of /; see [To] for details. For us, the crucial 
property of T T is that 

E e f(X)f(Y) = E(T T f) 2 (5) 

when r = y/l - e. This fact was used in 111 for s = 2 to establish Theorem 
in that case. 

The following hypercontractive inequality is due to Oleszkiewicz [8|: 
Theorem 4.1. Fix seN and set a = - , ft = 1 - a. Define 

I p2-2/p _ a 2-2/p \V2 
a ^P) = \ a l-2l P p_pl-2lp a 



2.4 
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Then for any f : [s] r 



I, if r < a(a,p) then 
\\T T fh < 



p- 



We remark that the reason for not having an explicit S(5) in Theo- 
rem |2.4| and its corollaries is that we do not know how to solve for p in 
terms of a(a,p). However, an approximate solution can easily be found on 
a computer, and we used such an approximation to produce Figure [TJ To 
obtain Theorem 2.4, it suffices to study the limit of a(a,p) as a -> 0. Essen- 
tially, a 2 (a,p) « ci! 1-2 / p for small a, and so if we take p to be slightly larger 
than what is needed to solve a l ~ 2 l p = 1 - e, then we will have a(a,p) > 1- e. 
This will allow us to apply Theorem 4.1 with r = \/l - e. 

Lemma 4.2. Let p = p(a,5,e) solve 



a 



(2/p-l)-<5/lna 



1 



Then for any 5 > and e* e (0,1), there is an A(5,e*) > such that a < 
A(6, e*) implies that for all e e (0,e*), 

a 2 (a,p(a, 5, e)) > 1 - e. 

Proof. Note that the definition of p ensures that p < 2 for all a, S, e. By the 
definition of a, 



-2/p _ P_ 



2-2/p _ a 2-2/p 



>0 



2-2/p _ a 2-2/p 



(6) 



Fix e* and 5, and note that as a -> 0, 2-2/p ->■ 1 uniformly for all e e (0, e*). 
Hence, the right-hand side of ([6]) converges to 1 (uniformly in e) as a -> 0. 
Plugging in the definition of p, 



1-e 



= o- 2 {a,p)a l - 2lp a sllna > (1 - o(l))e" 



In particular, the limit of the right hand side is strictly smaller than one, 



and so a (a,p) > 1-e for sufficiently small a. 



□ 



Proof of Theorem 2.J^. Fix e, S > 0. Let A and p be as in Lemma 4.2 and 
define S - 1/A. If s > S then a - 1/s < A and so Lemma 4.2 implies that 
a 2 (a,p) > 1 - e. Thus, ^ and Theorem 4.1 imply that 



i (X,YeA) = \\T VIZe l A \\ 2 <\\l A \\l = F(A)i. 
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Hence, P e (Y e A\X e A) < P(^4) 2 / p_1 . Taking the logarithm and dividing by 
lnP(.A) (which is negative), we have 

MJA) = 7 '— — i^--i = _i=i_- — . □ 

lnP(.A) p Ins Ins 

5 Hamming ball 

In this section, we consider the example of the Hamming ball A s a n con- 
sisting of x e [s] n such that #{i ■ Xi = 0} < - - acy/n. This is an interesting 
example because [I] showed that if a is sufficiently large (depending on e), 
then as n -*■ oo, A2. a ,n achieves the upper bound of Theorem |2.4| We will 
show, however, that this is no longer true for large s. 

Note that lx\=o has mean - and variance s= ^. Thus, the Berry- Esseen 
theorem implies that for any fixed a and s, 

(Q/C \ 
Z <--==) (7) 
\Js-l' 

as n ^ oo, where Z ~ Af(0,l). Moreover, if (Z 1 ,Z 2 ) ~AT(0,( 1 i 6 1 i e )) then 

Z U Z 2 <-—=). (8) 
V s - 1 

In particular, by studying normal probabilities we can use and @ to 
compute lim n _ 00 M € (A s ^ n ). 

Lemma 5.1. Suppose that (Z\, Z%) ~ A/*(0, ( 1 l e )). There is a sufficiently 
small constant c such that for all t > and < e < 1, 

P(Zi >t\Z 2 >t)< P(Zi > t) ce . 



Lemma 5.1 has the following immediate consequence for M e (A Sjan ): 
Corollary 5.2. There exists a constant c such that for any s and a, 

lim M e (A sa , n ) > ce. 

n— >oo 

By comparison, the trivial protocol A = {x : x\ = ■■■ = x^ = 0} has 

Ce 



< 
Ins 



In particular, for a fixed success probability and a sufficiently large alphabet 
s, the trivial protocol recovers clns times as many symbols as the Hamming 
ball protocol. 
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Proof of Corollary \5.fy According to ([7]) and Q, 

logP(^<-^ 2 <-^) 



M e (A Statn ) 



logP(z 1 <-J§ T ) 



Now apply Lemma 5.1 to the numerator (recalling that the denominator is 
negative) : 

logP(Zi < 

lim M e (A s ^ n ) > \ ^J^_ = ce. □ 

logP(Zi < -^L=) 



Proof of Lemma 5. 1 , The proof makes use of the Ornstein-Uhlenbeck semi- 



group P t , defined by 

(P T /)(x) = Ef(e- T x + Vl-e^Z), 

where Z ~ Af(0,l). The Nelson-Gross [2j[7j hypercontractive inequality 
states that 

(EP T \f(Z)\") 1/q <(E\f(ZW) 1/p (9) 
whenever q < 1 + e 2T (p- 1). If we set f(x) = \ x >t and r = -log(l - e), then 

P(Z X , Z 2 > t) = Ef(Z 1 )f(Z 2 ) = Ef(Z)P T f(Z) = E(P r/2 /(Z)) 2 . 

Thus, Q with q = 2 and p = 1 + e~ 2r = 1 + (1 - e) 2 implies that 

2 2 

P(Zi,Z 2 > t) < (E/(Z))M T7 7 = P(Z 2 >i) T ^) 7 <P(Z 2 >t) 1+ce . 
Hence, 

p(z x > t|z 2 > t) < gCglAMg^j) < P(Z2 > n 

W 1 ; P(Z 2 >t) v ; 

References 

[1] A. Bogdanov and E. Mossel. On extracting common random bits 
from correlated sources. IEEE Transactions on information theory, 
57(10):6351~6355, 2011. Arxiv 1007.2135. 

[2] Leonard Gross. Logarithmic Sobolev inequalities. Amer. J. Math., 
97(4):1061-1083, 1975. 



14 



[3] D. Lim, J.W. Lee, B. Gassend, G.E. Suh, M. Van Dijk, and S. Devadas. 
Extracting secret keys from integrated circuits. IEEE Transactions on 
Very Large Scale Integration (VLSI) Systems, 13(10):1200-1205, 2005. 

[4] E. Mossel, R. O'Donnell, and K. Oleszkiewicz. Noise stability of func- 
tions with low influences: invariance and optimality (extended ab- 
stract). In 46th Annual IEEE Symposium on Foundations of Computer 
Science (FOCS 2005), 23-25 October 2005, Pittsburgh, PA, USA, Pro- 
ceedings, pages 21-30. IEEE Computer Society, 2005. 

[5] E. Mossel, R. O'Donnell, O. Regev, J. E. Steif, and B. Sudakov. Non- 
interactive correlation distillation, inhomogeneous Markov chains, and 
the reverse Bonami-Beckner inequality. Israel J. Math., 154:299-336, 
2006. 

[6] E. Mossel, K. Oleszkiewicz, and A. Sen. On reverse hypercontractivity. 
2011. 

[7] Edward Nelson. The free Markoff field. J. Functional Analysis, 12:211- 
227, 1973. 

[8] K. Oleszkiewicz. On a nonsymmetric version of the Khinchine-Kahane 
inequality. Progress In Probability, 56:156-168, 2003. 

[9] Y. Su, J. Holleman, and B.P. Otis. A digital 1.6 pJ/bit chip identifica- 
tion circuit using process variations. Solid-State Circuits, IEEE Journal 
of 43(l):69-77, 2008. 

[10] P. Wolff. Hypercontractivity of simple random variables. Studia Math- 
ematica, pages 219-326, 2007. 

[11] Ke Yang. On the (im)possibility of non-interactive correlation distilla- 
tion. Theoretical Computer Science, 382(2) :157-166, 2007. 

[12] H. Yu, P.H.W. Leong, H. Hinkelmann, L. Moller, M. Glesner, and 
P. Zipf. Towards a unique FPGA-based identification circuit using 
process variations. In 19th International Conference on Field Pro- 
grammable Logic and Applications, pages 397-402. IEEE, 2009. 



15 



